#!/usr/bin/perl -w

use strict;
use XML::RSS;
use LWP::Simple;
use Data::Dumper;
use Net::Abuse::Utils qw(:all);
use Regexp::Common qw/net/;
use DateTime::Format::DateParse;
use DateTime;
use Net::DNS;

use CIF::Message::Infrastructure;
use CIF::Message::Domain;
use CIF::Message::MalwareURL;

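# Settings for ingesting the malwaredomainlist.com RSS export into CIF.
# NOTE(review): $timeout is declared but nothing in this script passes it to
# the DNS resolver or to the HTTP fetch -- confirm whether it was meant to
# bound either of them.
my $timeout = 5;

# Resolver handed to CIF::Message::Domain::getrdata for every listed domain.
my $res = Net::DNS::Resolver->new(
    nameservers => ['8.8.8.8'],
);

my $partner = 'malwaredomainlist.com';

# NOTE(review): the feed is fetched over plain HTTP, so nothing protects its
# integrity in transit. Every field parsed from it is untrusted input.
my $url = 'http://www.malwaredomainlist.com/hostslist/mdl.xml';
my $rss = XML::RSS->new();

# LWP::Simple::get returns undef on any fetch failure. Stop here rather than
# hand undef (or an empty body) to the XML parser.
my $content = get($url);
unless(defined $content && length $content){
    die "unable to fetch feed from $url\n";
}
$rss->parse($content);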

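# Walk every feed entry and record it as a malware URL, then add one domain
# record per DNS answer and one infrastructure record per IPv4 answer.
#
# Everything in $item comes from the remote feed and is untrusted. All fields
# are validated before the first insert, and a malformed entry is skipped with
# a warning so that no partial or stale value reaches the CIF store.
foreach my $item (@{$rss->{items}}){
    my $raw_desc  = defined $item->{description} ? $item->{description} : '';
    my $raw_title = defined $item->{title} ? $item->{title} : '';

    # Printable-only copy of the title for log output, so feed content cannot
    # inject control characters into the operator's terminal or log file.
    (my $label = $raw_title) =~ s/[^\x20-\x7E]/?/g;

    # description is a comma separated record; the third field is not used.
    my ($url,$addr,undef,$desc) = split(/,/,$raw_desc);
    unless(defined $url && defined $addr){
        warn "skipping feed item with malformed description: $label";
        next;
    }
    $desc = '' unless defined $desc;

    $url =~ s/Host: //;
    $addr =~ s/ IP address: //;
    $desc =~ s/ Description: //;
    if($url =~ /^\-/){
        # Host field starts with '-': use the address field as the URL.
        $url = $addr;
    }

    # The title carries the detection time as "(YYYY/MM/DD_HH:MM)".
    my $detecttime;
    if($raw_title =~ /\((\d{4}\/\d{2}\/\d{2}_\d{2}:\d{2})\)/){
        my $t = $1;
        $t =~ s/_/ /;
        $detecttime = DateTime::Format::DateParse->parse_datetime($t);
    }
    unless(defined $detecttime){
        # Without this guard the value stored below would be the bare string 'Z'.
        warn "skipping feed item without a parsable timestamp: $label";
        next;
    }
    # Stringify the DateTime and append the UTC designator.
    # NOTE(review): assumes the feed's timestamps are UTC -- confirm.
    $detecttime .= 'Z';

    # The title starts with either an IPv4 address or a host name. Use the
    # capture only when its own match succeeded: an unchecked $1 still holds
    # the capture of an earlier match (here, the timestamp) and would be
    # resolved and stored as if it were a domain.
    my $domain;
    if($raw_title =~ /^($RE{net}{IPv4})/){
        $domain = $1;
    } elsif($raw_title =~ /^([A-Za-z0-9.-]+\.[a-zA-Z]{2,6})/){
        $domain = $1;
    } else {
        warn "skipping feed item without a recognisable host in title: $label";
        next;
    }

    my $impact = 'malware url';
    # NOTE(review): the return value is used as an object below
    # ($uuid->uuid()); presumably insert() dies or always returns one -- confirm.
    my $uuid = CIF::Message::MalwareURL->insert({
        address     => $url,
        source      => $partner,
        impact      => $impact,
        description => $impact.' '.$desc,
        confidence  => 3,
        severity    => 'medium',
        restriction => 'need-to-know',
        alternativeid  => 'http://www.malwaredomainlist.com/mdl.php?quantity=50&inactive=on&search='.$domain,
        alternativeid_restriction => 'public',
        detecttime  => $detecttime,
    });

    # One record per DNS answer for the listed host.
    my @rdata = CIF::Message::Domain::getrdata($res,$domain);
    foreach my $r (@rdata){
        my ($as,$as_desc,$network,$ccode,$rir,$dt);
        my $address = $r->{'address'};
        if($address && $address =~ /^$RE{net}{IPv4}/){
            # NOTE(review): CIF::Message::Inet is not loaded by this script
            # directly; presumably one of the CIF::Message modules pulls it
            # in -- confirm.
            ($as,$network,$ccode,$rir,$dt,$as_desc) = CIF::Message::Inet::asninfo($address);
        }

        my $impact = 'malicious domain';
        my $description = 'malicious domain '.$desc.' - '.$domain;
        my $type = $r->{'type'};
        my $severity = ($type eq 'NS') ? 'low' : 'medium';
        my $ddd = $domain;
        if($r->{'domain'}){
            # The answer names another domain: record that one instead, at
            # low severity, as a suspicious nameserver.
            $ddd = $r->{'domain'};
            $impact = 'suspicious nameserver';
            $description = $impact.' - '.$ddd;
            $severity = 'low';
        }

        my $duuid = CIF::Message::Domain->insert({
            address     => $ddd,
            source      => $partner,
            confidence  => 5,
            severity    => $severity,
            impact      => $impact,
            description => $description,
            relatedid   => $uuid->uuid(),
            detecttime  => $detecttime,
            class       => $r->{'class'},
            type        => $r->{'type'},
            rdata       => $r->{'address'},
            ttl         => $r->{'ttl'},
            asn         => $as,
            asn_desc    => $as_desc,
            cidr        => $network,
            cc          => $ccode,
            rir         => $rir,
            alternativeid => 'http://www.malwaredomainlist.com/mdl.php?quantity=50&inactive=on&search='.$domain,
            alternativeid_restriction => 'public',
            restriction => 'need-to-know',
        });

        # Only answers that carry an IPv4 address and are not CNAMEs become
        # infrastructure records.
        unless($r->{'type'} eq 'CNAME' || !$address || $address !~ /^$RE{net}{IPv4}/){
            CIF::Message::Infrastructure->insert({
                relatedid   => $duuid->uuid(),
                source      => $partner,
                address     => $r->{'address'},
                impact      => 'malware infrastructure',
                description => 'malware infrastructure '.$desc.' - '.$r->{'address'},
                confidence  => 2,
                severity    => 'medium',
                detecttime  => $detecttime,
                asn         => $as,
                asn_desc    => $as_desc,
                cidr        => $network,
                cc          => $ccode,
                rir         => $rir,
                restriction => 'need-to-know',
                alternativeid => 'http://www.malwaredomainlist.com/mdl.php?quantity=50&inactive=on&search='.$r->{'address'},
                alternativeid_restriction => 'public',
            });
        }
    }
    # Progress output: one line on STDERR per processed feed item.
    warn $uuid;
}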
